Hacker News
by usrusr 1843 days ago
In the Java world we have the Maven repository dependency aggregators like mvnrepository.com that accidentally serve as some kind of citeseer equivalent. I assume similar things exist for the package managers of other languages as well?

But obviously most commercial usage remains invisible. I could imagine a hybrid cultural/technological approach where dev teams publish/are allowed to publish at least usage metadata where they can't publish source (or actually contribute).

There's a huge tie-in with security. I remember heated discussions where one side tries to establish this as an audit mechanism ("how vulnerable is product x really, in terms of outdated dependencies?") and incentive for updating, while the other side is crazy scared of publishing a list of potential attack surfaces. Perhaps the implied attribution benefit should become part of this discussion as well?

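The audit the post above describes (how far behind are a product's dependencies?) can be run over exactly the usage metadata it proposes publishing: package names and pinned versions, no source. The script below is an added example, not code from this thread or from any project linked in it. The package-lock.json fragment and the "latest version" table are constructed for the example (the version numbers are made up), standing in for a real lockfile and a real registry lookup.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample: the "packages" section of a package-lock.json in the
# lockfileVersion 2/3 layout (keyed by node_modules path). Versions are made up.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0",
             "dependencies": {"jumprope": "^1.0.0", "lodash": "^4.17.0"}},
        "node_modules/jumprope": {"version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.15"},
        "node_modules/minimist": {"version": "0.0.8", "dev": True},
    },
})

# Constructed snapshot of the newest published version per package. In a real
# audit this would come from the registry; here it is an inline stand-in.
SAMPLE_LATEST = {
    "jumprope": "1.0.0",
    "lodash": "4.17.21",
    "minimist": "1.2.8",
}

SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_semver(v: str) -> Tuple[int, int, int, bool, str]:
    """Turn 'MAJOR.MINOR.PATCH[-pre]' into a tuple that sorts correctly."""
    m = SEMVER_RE.match(v.strip())
    if not m:
        raise ValueError(f"not a semver string: {v!r}")
    major, minor, patch, pre = m.groups()
    # A pre-release sorts before the matching release: 1.0.0-rc1 < 1.0.0.
    return (int(major), int(minor), int(patch), pre is None, pre or "")


def installed_versions(lock_json: str) -> Dict[str, str]:
    """Map package name -> installed version from the lockfile's packages map."""
    lock = json.loads(lock_json)
    out: Dict[str, str] = {}
    for path, meta in lock.get("packages", {}).items():
        if path == "":          # the root project itself, not a dependency
            continue
        # Keep only the last path segment after node_modules/, so nested
        # installs (node_modules/a/node_modules/b) resolve to "b".
        name = path.split("node_modules/")[-1]
        out[name] = meta["version"]
    return out


def usage_metadata(lock_json: str) -> List[Tuple[str, str]]:
    """The minimal record a team could publish without publishing source."""
    return sorted(installed_versions(lock_json).items())


def outdated(lock_json: str, latest: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """(name, installed, latest, severity) for every dependency behind latest."""
    rows = []
    for name, ver in installed_versions(lock_json).items():
        newest = latest.get(name)
        if newest is None:
            continue            # unknown to the registry snapshot: cannot judge
        have, want = parse_semver(ver), parse_semver(newest)
        if have >= want:
            continue
        if have[0] < want[0]:
            sev = "major"
        elif have[1] < want[1]:
            sev = "minor"
        else:
            sev = "patch"
        rows.append((name, ver, newest, sev))
    return sorted(rows)


if __name__ == "__main__":
    print("published usage metadata:")
    for name, ver in usage_metadata(SAMPLE_LOCK):
        print(f"  {name}@{ver}")
    print("outdated:")
    for name, have, want, sev in outdated(SAMPLE_LOCK, SAMPLE_LATEST):
        print(f"  {name}: {have} -> {want} ({sev})")
```

The two functions make the tension in the thread concrete: `usage_metadata` is the record that would make a product visible to a citeseer-style aggregator, and `outdated` run over that same record is the list of stale components the other side was worried about handing out. Anything not in the latest-version table is skipped rather than guessed, and pre-release tags sort below the release they precede.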

For JavaScript packages, npm lists which other packages depend on any given package, and how many times a package was downloaded in the last week. That gives you a rough sense of usage, but it can also be super mysterious.

As an example, here's a package I wrote which I haven't touched in 3 years: https://www.npmjs.com/package/jumprope

There are no projects on npm which depend on this, and yet it gets downloaded about 3000 times per week. Who's using it? I have no idea. Are they running into any problems? I suppose not, I mean, there aren't any issues on GitHub. It's kinda spooky.

Thanks, just like I expected. Hopefully every at least remotely modern dependency/package manager has some sort of citeseer equivalent in its ecosystem.

And your last paragraph nicely illustrates the blindness we get from closed projects/products not publishing their dependency metadata. I suppose that for client-side JS a tiny subset of usage stats could be generated by CDN distribution, but repackaging is a thing (and for good reason, in many cases).

   Rope took 5610 ms. 0.001122 ms per iteration, 891k iterations per second
   JS toString took 3463 ms. 0.003463 ms per iteration, 288k iterations per second
I guess you have a typo there in total time?
You can possibly find some users in Github: https://github.com/search?q=jumprope+filename%3Apackage.json...
I really wish GitHub would invest more in the dependency graph, like allow you to sort by stars at least: https://github.com/josephg/jumprope/network/dependents
Oh good idea! It looks like GitHub also tracks a project's dependency tree explicitly, though those 3000 downloads per week remain a mystery:

https://github.com/josephg/jumprope/network/dependents

I've heard that the vast majority of those downloads are from CI systems. It would be cool if GitHub could draw anonymous metrics from GitHub Actions and help with this mystery.